Overview

Affected versions of this package are vulnerable to Information Exposure.
The package exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

Remediation

Upgrade org.apache.hadoop:hadoop-hdfs-client to version 3.0.1, 2.9.1, 2.8.4, 2.7.6 or higher.